CN117725575A - Asset management method based on middleware access log - Google Patents


Info

Publication number
CN117725575A
Authority
CN
China
Prior art keywords
access
middleware
query
log
behavior
Legal status
Pending
Application number
CN202311726564.9A
Other languages
Chinese (zh)
Inventor
赵天龙
王照文
Current Assignee
China Citic Bank Corp Ltd
Original Assignee
China Citic Bank Corp Ltd
Application filed by China Citic Bank Corp Ltd
Priority to CN202311726564.9A
Publication of CN117725575A
Legal status: Pending (current)

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses an asset management method based on middleware access logs, in the technical field of network security, comprising the following steps: deploying a middleware log collection module, connecting it to the middleware and collecting middleware access logs; classifying the middleware access logs by application program to obtain a plurality of middleware access sub-logs, one per application program; performing access behavior analysis for each application program on its middleware access sub-log and constructing an access behavior recognition model; receiving an application query statement, detecting it with the access behavior recognition model and obtaining an access behavior judgment result; and performing asset discovery management based on the access behavior judgment result. The invention addresses the insufficient accuracy and performance of the prior art and its lack of an effective response mechanism, improving the accuracy and speed of attack detection and providing a more effective response processing mechanism.

Description

Asset management method based on middleware access log
Technical Field
The invention relates to the technical field of network security, in particular to an asset management method based on middleware access logs.
Background
With the spread of computer network applications, the sensitive information and financial data of businesses and individuals are transmitted and stored over networks, so network security concerns not only the interests of businesses and individuals but also social and national security. Intrusion detection and defense technology is the first, and the most important, line of defense for network security. Existing intrusion detection and defense technology suffers from false positives and false negatives: normal behavior is judged to be an attack, or a real attack goes undetected, which causes unnecessary alerts and interference and gives an attacker a chance to bypass the defense system. As network traffic and complexity grow, existing intrusion detection and defense technology also degrades in performance, and when an attack event is detected it can only take simple actions such as closing network egress points or shutting down servers. The prior art therefore has the technical problems of insufficient accuracy and performance and the lack of an effective response mechanism.
Disclosure of Invention
The asset management method based on middleware access logs provided by this application addresses the technical problems of insufficient accuracy and performance and the lack of an effective response mechanism in the prior art, improving the accuracy and speed of attack detection and providing a more effective response processing mechanism.
In a first aspect, an embodiment of the present application provides an asset management method based on a middleware access log, the method comprising:
the method comprises the steps of deploying a middleware log collecting module, connecting middleware based on the middleware log collecting module, and collecting a middleware access log, wherein the middleware access log comprises query information sent to database equipment by a plurality of application programs;
classifying the middleware access logs according to a plurality of application programs to obtain a plurality of middleware access sub-logs corresponding to the plurality of application programs;
performing access behavior analysis for the plurality of application programs based on the plurality of middleware access sub-logs respectively, and constructing an access behavior recognition model;
receiving an application query statement, detecting the application query statement based on the access behavior recognition model, and obtaining an access behavior judgment result;
and performing asset discovery management based on the access behavior judgment result.
In a second aspect, embodiments of the present application provide an asset management system based on a middleware access log, the system comprising:
the middleware log collection module, which is deployed and connected to the middleware, and is used for collecting middleware access logs, wherein the middleware access logs comprise query information sent to database equipment by a plurality of application programs;
the middleware access sub-log acquisition module is used for classifying the middleware access logs according to a plurality of application programs and acquiring a plurality of middleware access sub-logs corresponding to the plurality of application programs;
the access behavior recognition model building module is used for carrying out access behavior analysis on the plurality of application programs based on the plurality of middleware access sub-logs respectively and building an access behavior recognition model;
the access behavior judgment result acquisition module is used for receiving application query sentences, detecting the application query sentences based on the access behavior recognition model and acquiring access behavior judgment results;
and the asset discovery management module is used for carrying out asset discovery management based on the access behavior judgment result.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
In the method, a middleware log collection module is deployed and connected to the middleware, and middleware access logs are collected, the middleware access logs comprising query information sent to database equipment by a plurality of application programs. The middleware access logs are classified by application program to obtain a plurality of middleware access sub-logs, one per application program. Access behavior analysis is then performed for each application program on its middleware access sub-log, and an access behavior recognition model is built. Once the model is built, application query statements are received and detected with the access behavior recognition model to obtain access behavior judgment results, and finally asset discovery management is performed based on those results. The method addresses the insufficient accuracy and performance of the prior art and its lack of an effective response mechanism, improving the accuracy and speed of attack detection and providing a more effective response processing mechanism.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of an asset management method based on a middleware access log according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an asset management system based on a middleware access log according to an embodiment of the present application.
Reference numerals illustrate: the system comprises a middleware log collection module 1, a middleware access sub-log acquisition module 2, an access behavior identification model construction module 3, an access behavior judgment result acquisition module 4 and an asset discovery management module 5.
Detailed Description
The asset management method based on the middleware access log is used for solving the technical problems of accuracy and performance deficiency and lack of an effective response mechanism in the prior art.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
It should be noted that the terms "comprises" and "comprising", along with any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to it, but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
As shown in fig. 1, the present invention provides an asset management method based on middleware access log, for improving network security protection capability and level, the method comprising:
Deploying a middleware log collection module, connecting it to the middleware, and collecting a middleware access log, wherein the middleware access log comprises query information sent to database equipment by a plurality of application programs. Specifically, the middleware log collection module is a data module designed to collect middleware access logs: it monitors the application program access logs of the middleware and collects, sorts and stores the log data. The middleware is a separate service program, and the collection module connects to it through a specific interface or protocol so that the access logs can be collected and monitored. The middleware access log is a data record of the interaction between the application programs and the database equipment; it therefore contains the query information sent by the application programs to the database equipment, including read, write and update operations on the database together with the execution results and response times of those operations. By deploying the collection module and connecting it to the middleware, the application programs and databases can be monitored and the asset information in the network discovered and tracked in time.
Classifying the middleware access logs by application program to obtain a plurality of middleware access sub-logs, one per application program. Specifically, the middleware log collection module first identifies and distinguishes the different application programs, which can be done by analyzing application program identifiers or protocol-specific information in the log data; it then divides the related log data into separate sub-logs, so that each sub-log corresponds one-to-one to the access log of a single application program.
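As an added illustration that is not part of the patent, the following Python parses a constructed middleware access log into records carrying the query statement, query time, query type and query database, and classifies them into per-application sub-logs. The line format, the application and database identifiers and the sample lines are assumptions; a real collector reads whatever the middleware actually emits.

```python
"""Collect middleware access log lines and classify them into per-application
sub-logs.

Added example, not code from the patent. The log line format below is an
assumption: one record per line, '|'-separated, with the application and
database identifiers as key=value fields ahead of the SQL text.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real data); the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z|app=crm|db=customers|SELECT id, name FROM customer WHERE id = 42
2024-03-01T09:15:03Z|app=billing|db=ledger|INSERT INTO invoice (id, amount) VALUES (7, 120.5)
2024-03-01T09:15:05Z|app=crm|db=customers|UPDATE customer SET email = 'a@b.c' WHERE id = 42
2024-03-01T09:15:07Z|app=report|db=warehouse|CALL nightly_rollup()
2024-03-01T09:15:09Z|app=billing|db=ledger|DELETE FROM invoice WHERE id = 7
this line is malformed and must be counted, not silently dropped
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\|app=(?P<app>[\w-]+)"
    r"\|db=(?P<db>[\w-]+)\|(?P<sql>.+)$")
# Leading SQL keyword -> query type (the page's SELECT/INSERT/UPDATE/DELETE
# plus stored-procedure calls); anything else is "other".
_QUERY_TYPES = {"SELECT": "select", "INSERT": "insert", "UPDATE": "update",
                "DELETE": "delete", "CALL": "stored_procedure", "EXEC": "stored_procedure"}


def parse_record(line):
    """Return one record (query statement, time, type, database, application)
    or None when the line does not match the expected format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sql = m.group("sql").strip()
    first_word = sql.split(None, 1)[0].upper()
    return {
        "application": m.group("app"),
        "query_database": m.group("db"),
        "query_time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
                              .replace(tzinfo=timezone.utc),
        "query_type": _QUERY_TYPES.get(first_word, "other"),
        "query_statement": sql,
    }


def parse_log(text):
    """Parse every line; return (records, dropped) so unparseable lines are
    counted and can be alerted on rather than lost."""
    records, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            dropped += 1
            continue
        records.append(rec)
    return records, dropped


def split_by_application(records):
    """Classify records into per-application sub-logs: application id -> records."""
    sublogs = defaultdict(list)
    for rec in records:
        sublogs[rec["application"]].append(rec)
    return dict(sublogs)


def parse_and_split(text):
    records, _ = parse_log(text)
    return split_by_application(records)


if __name__ == "__main__":
    for app, recs in parse_and_split(SAMPLE_LOG).items():
        print(app, [(r["query_type"], r["query_database"]) for r in recs])
```

The dropped-line count matters operationally: a collector that discards lines it cannot parse gives an attacker a way to keep activity out of the sub-logs by provoking malformed records, so the count should be monitored like any other health signal.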
Performing access behavior analysis for each application program on its middleware access sub-log and constructing an access behavior recognition model. Specifically, the data of each middleware access sub-log is preprocessed (data cleaning, deduplication, format conversion and the like); data items that reflect access behavior characteristics, such as access time, request frequency and request content, are extracted from the preprocessed sub-log; a data mining algorithm is selected and, using the extracted feature data, a model capable of automatically identifying and predicting access behavior is constructed; finally, the accuracy, stability and other properties of the constructed access behavior recognition model are evaluated, and the model is optimized and adjusted according to the evaluation results.
Taking a decision tree algorithm as an example, the construction of the access behavior recognition model proceeds as follows: the data set obtained after feature extraction is divided into a training set, used to build the model, and a test set, used to evaluate its performance; suitable features are selected for partitioning, for example partitioning the data set into subsets by access time, request frequency and similar features; an optimal partition criterion, such as information gain or the Gini index, is selected to evaluate the quality of each partition; the decision tree is generated recursively, each node being partitioned according to the criterion until a stopping condition is met, for example when all data in the node belong to the same class or the criterion can no longer be satisfied; the generated tree is pruned to avoid overfitting, for instance by cross-validation; and the resulting decision tree model is evaluated on the test set. Through these steps a decision-tree-based access behavior recognition model is obtained that automatically identifies and predicts access behavior.
Receiving an application query statement, detecting it with the access behavior recognition model, and obtaining an access behavior judgment result. An application query statement is the query an application program issues when interacting with a database; it may take various forms, such as an SQL query, an API request or another kind of query, and is used to obtain, update or delete data in the database on behalf of the application program. After the middleware log collection module receives a query statement from an application program or user, it preprocesses the statement, for example removing unnecessary whitespace and normalizing case, to ensure consistent subsequent processing; the preprocessed statement is then fed into the access behavior recognition model, which compares it against the features learned during training and produces an access behavior judgment result for the statement. The judgment result may be a binary label such as normal or abnormal, a probability value, or a more specific description.
Performing asset discovery management based on the access behavior judgment result. Asset discovery management means discovering and managing the various resources in a network, including servers, network equipment, software and data, by collecting and analyzing asset information in the computer network environment, so as to raise the security protection capability and level of the enterprise and reduce security risks and vulnerabilities. Specifically, based on the access behavior judgment result the middleware log collection module can find potential security risks in the application query statement, for example abnormal queries, malicious requests or potential SQL injection attacks; it can then take corresponding measures, such as logging, alarm notification, blocking malicious requests and query performance optimization; and it can update the asset information of the network according to the judgment result, including identifying new assets, updating the state of existing assets and repairing vulnerabilities. The method thereby improves the accuracy and speed of attack detection, provides a more effective response processing mechanism, and ultimately raises the network security protection capability and level.
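As an added example that is not the patent's own code, the following Python carries the three preceding steps through: it builds the decision-tree access behavior recognition model from constructed, labelled records using information gain, preprocesses an incoming application query statement, detects it with the model, and maps the judgment to a response. The features (access time, request frequency, request content), the thresholds, the training records and the response mapping are assumptions; pruning is omitted.

```python
"""Access behavior recognition model (ID3-style decision tree) and detection of
an incoming application query statement.

Added example, not code from the patent. The features, thresholds, labelled
training records and response mapping are constructed assumptions standing in
for what the per-application middleware access sub-logs would provide.
"""
import math
import re
from collections import Counter

FEATURES = ["time", "frequency", "content"]
# Crude "request content" signals after literal masking: comments, stacked
# statements, UNION, and tautologies such as OR 1=1 / OR 'a'='a'.
_SUSPICIOUS = re.compile(
    r"(--|/\*|;\s*\w|\bunion\b|\bor\s+0\s*=\s*0\b|\bor\s+'\?'\s*=\s*'\?')")


def preprocess(statement):
    """Collapse whitespace, fold case and mask literals (the page's preprocessing)."""
    s = re.sub(r"\s+", " ", statement.strip()).lower()
    s = re.sub(r"'(?:[^']|'')*'", "'?'", s)      # string literals -> '?'
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "0", s)       # numeric literals -> 0
    return s


def featurize(statement, hour, requests_per_min):
    """Discretise one request into the three features named on the page."""
    s = preprocess(statement)
    return {
        "time": "business" if 8 <= hour < 20 else "off_hours",
        "frequency": "high" if requests_per_min > 50 else "low",
        "content": "suspicious" if _SUSPICIOUS.search(s) else "plain",
    }


# Constructed, labelled training records: (statement, hour, requests/min, label).
TRAINING = [
    ("SELECT id, name FROM customer WHERE id = 42", 10, 5, "normal"),
    ("UPDATE customer SET email = 'x@y.z' WHERE id = 42", 11, 3, "normal"),
    ("INSERT INTO invoice (id, amount) VALUES (7, 120.5)", 14, 8, "normal"),
    ("SELECT count(*) FROM invoice WHERE day = '2024-03-01'", 2, 1, "normal"),
    ("SELECT * FROM customer", 15, 70, "normal"),
    ("SELECT id FROM invoice WHERE id = 9", 4, 2, "normal"),
    ("SELECT * FROM customer WHERE id = 1 OR 1=1", 13, 4, "abnormal"),
    ("SELECT name FROM customer WHERE id = 1 UNION SELECT pw FROM users", 16, 6, "abnormal"),
    ("SELECT * FROM customer WHERE id = 1; DROP TABLE customer", 3, 2, "abnormal"),
    ("SELECT * FROM customer -- admin", 9, 12, "abnormal"),
    ("SELECT * FROM customer", 3, 90, "abnormal"),
    ("SELECT * FROM invoice", 23, 120, "abnormal"),
]


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(rows, feature):
    """Entropy reduction obtained by partitioning rows on one feature."""
    groups = {}
    for feats, label in rows:
        groups.setdefault(feats[feature], []).append(label)
    remainder = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return entropy([label for _, label in rows]) - remainder


def build_tree(rows, features):
    """Split on the highest-gain feature until the node is pure, no feature
    remains, or no split helps (the stopping conditions on the page)."""
    labels = [label for _, label in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return majority
    best = max(features, key=lambda f: information_gain(rows, f))
    if information_gain(rows, best) <= 0:
        return majority
    node = {"feature": best, "default": majority, "branches": {}}
    rest = [f for f in features if f != best]
    for value in sorted({feats[best] for feats, _ in rows}):
        subset = [(f, lab) for f, lab in rows if f[best] == value]
        node["branches"][value] = build_tree(subset, rest)
    return node


def predict(tree, feats):
    while isinstance(tree, dict):   # descend until a leaf label is reached
        tree = tree["branches"].get(feats[tree["feature"]], tree["default"])
    return tree


def train(records):
    return build_tree([(featurize(s, h, r), lab) for s, h, r, lab in records], FEATURES)


def accuracy(tree, records):
    return sum(predict(tree, featurize(s, h, r)) == lab for s, h, r, lab in records) / len(records)


def detect(tree, statement, hour, requests_per_min):
    """Access behavior judgment result for one incoming query statement."""
    return predict(tree, featurize(statement, hour, requests_per_min))


def respond(judgment):
    """Response measure for a judgment (mapping is an assumption)."""
    return "allow" if judgment == "normal" else "log, alert and block"


if __name__ == "__main__":
    model = train(TRAINING)
    verdict = detect(model, "SELECT * FROM customer WHERE name = 'x' OR 'a'='a'", 12, 3)
    print(accuracy(model, TRAINING), verdict, respond(verdict))
```

The content feature is a handful of syntactic signals, so a statement that avoids them is judged on time and frequency alone; that gap is exactly why the page insists on a held-out test set and on tuning the model after evaluation rather than trusting training accuracy.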
In a preferred implementation provided in the embodiments of the present application, the query information includes a query statement, a query time, a query type and a query database. Specifically, the query statement is the SQL statement an application sends to the database for execution, such as SELECT, INSERT, UPDATE or DELETE, and reflects the application's access pattern and operations on the database. The query time is the time at which the application sent the statement; it reflects the frequency and time distribution of queries and can be used to evaluate database performance and bottlenecks. The query type is the type or category of the statement, such as an interactive query, a batch query or a stored procedure. The query database is the name or identifier of the database queried by the application, from which it is known which databases are accessed and used. Through this query information the middleware log collection module can better understand the access behavior of the application programs and monitor database performance, and so discover potential security risks and vulnerabilities.
In another preferred implementation manner provided in the embodiments of the present application, performing access behavior analysis for the plurality of application programs based on the plurality of middleware access sub-logs, respectively, and constructing an access behavior recognition model includes:
Constructing a behavior analysis coordinate system whose coordinate axes are the query type, the query time and the query database. Specifically, a three-dimensional behavior analysis coordinate system is constructed in which the x-axis represents query time, the y-axis query type and the z-axis query database; by observing the positions and distribution of the query information in this coordinate system, an intuitive picture of the access behavior of each application program and of database usage is obtained, for example the distribution of a given query type, the usage of a given database, or the distribution of different query types over time.
Traversing the middleware access sub-logs to obtain a first middleware access sub-log, and constructing a first access behavior recognition channel from it, so as to obtain a plurality of access behavior recognition channels; the first middleware access sub-log is any one of the plurality of middleware access sub-logs. Specifically, the middleware access sub-log files are read and parsed, any one of them is taken as the first middleware access sub-log, and its query information (query type, query time, query database) is aggregated and counted: for example, the number of requests, response time and error rate of each query type, and the number of queries and execution time of each database. From these aggregated statistics a data stream or data set that identifies and represents the access behavior is constructed; this is the first access behavior recognition channel. The same processing and channel construction are then applied to every middleware access sub-log, giving a plurality of access behavior recognition channels.
Merging the access behavior recognition channels to obtain the access behavior recognition model. Specifically, the data streams or data sets of the channels are integrated into a unified data set or data stream; to ensure accuracy and consistency, the data may be cleaned, converted and standardized. For channels with insufficient data, data augmentation can be used to enlarge the data set, for example by duplicating existing data, generating synthetic data as filler, or producing additional data with techniques such as transfer learning. Features are then extracted from the integrated data to improve model performance and accuracy. A machine learning model, such as a decision tree, support vector machine or neural network, is selected and trained on the integrated data. After training, the model is evaluated on a test data set using metrics such as accuracy, precision and recall, and according to the results the model parameters are adjusted, the model structure improved or other optimizations applied. After training and optimization, the access behavior recognition model is obtained and can be used to identify and monitor access behavior in real time. A model constructed in this way has higher accuracy, generality and extensibility: when a new middleware access sub-log appears, the model is extended by adding a new channel, so its range of application remains wide.
In another preferred implementation provided in the embodiments of the present application, traversing the plurality of middleware access sub-logs to obtain a first middleware access sub-log and constructing a first access behavior recognition channel from it comprises:
Traversing the plurality of application programs to obtain a first application program. Specifically, any one of the available application programs is selected as the first application program.
Obtaining the first middleware access sub-log from the plurality of middleware access sub-logs based on the first application program. Specifically, among the plurality of middleware access sub-logs, the one corresponding to the first application program is located.
Extracting the query information in the first middleware access sub-log as first query information, the first query information comprising a first query statement, a first query time, a first query type and a first query database. Specifically, the query statement, query time, query type and query database are extracted from the first middleware access sub-log; together they represent and identify the access behavior.
Mapping the first query time, the first query type and the first query database into the behavior analysis coordinate system to obtain a first behavior analysis coordinate system. Specifically, in the three-dimensional behavior analysis coordinate system a coordinate point is marked for each item of first query information at the coordinates (first query time, first query type, first query database); each point represents a specific query event or access behavior, and the result is the first behavior analysis coordinate system containing the first query information.
Marking normal access behavior and abnormal access behavior on the first behavior analysis coordinate system to obtain a first behavior labeling coordinate system. Specifically, normal and abnormal access behavior are first defined from the business logic and objectives, according to the needs and context of the application. The data distribution in the first behavior analysis coordinate system is then examined to determine the number and distribution of access behaviors across the different query times, query types and query databases. According to the definitions, the corresponding coordinate points are located in the first behavior analysis coordinate system and labeled as normal or abnormal; access behaviors that cannot be definitely classified as either are labeled unknown or with a corresponding uncertain category, and these labels serve to identify noise or outliers in subsequent analysis. After this labeling step, a first behavior labeling coordinate system containing normal and abnormal access behaviors is obtained.
Obtaining the first access behavior recognition channel from the first query statement and the first behavior labeling coordinate system. Specifically, features of the query statement, including its length, keywords and syntactic structure, are extracted from the first query information as input for subsequent model training. The features are mapped onto the first behavior labeling coordinate system to find the corresponding behavior category (normal or abnormal). A neural network model is constructed from this mapping to predict the behavior category from the features of a query statement. The predictions are then combined with the original query statements to form the first access behavior recognition channel, in which each query statement carries a behavior category label (normal or abnormal). Constructing the channel in this way improves data completeness and accuracy, increases feature diversity, widens generality over time and space, and improves the interpretability and intelligence of the model.
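As an added example, not code from the patent, the following Python maps each application's sub-log onto (query time, query type, query database) coordinates, labels the points from a constructed business definition of normal behavior, builds one access behavior recognition channel per application with the per-type and per-database counts, and merges the channels into a model that is later extended with a new channel. The sub-logs, the policy and the time buckets are assumptions. The judgment keeps the page's unknown category for points the policy allows but the model has never seen, so that they are reviewed rather than blocked outright.

```python
"""Behavior analysis coordinate system, per-application recognition channels,
and a merged model that can be extended with a new channel.

Added example, not the patent's own code. The sub-logs, the policy used for
labelling and the time buckets are constructed assumptions.
"""
from collections import Counter

# Constructed per-application middleware access sub-logs:
# (hour of query time, query type, query database).
SUBLOGS = {
    "crm": [(9, "select", "customers"), (10, "update", "customers"),
            (11, "select", "customers"), (14, "select", "customers"),
            (15, "update", "customers"), (3, "select", "ledger")],
    "billing": [(9, "insert", "ledger"), (10, "select", "ledger"),
                (16, "delete", "ledger"), (17, "select", "ledger")],
}

# Business definition of normal behaviour (assumption): which databases each
# application may use and whether it is expected to run outside business hours.
POLICY = {
    "crm": {"databases": {"customers"}, "off_hours": False},
    "billing": {"databases": {"ledger"}, "off_hours": True},
    "report": {"databases": {"warehouse"}, "off_hours": True},
}


def time_bucket(hour):
    return "business" if 8 <= hour < 20 else "off_hours"


def to_point(hour, query_type, database):
    """Coordinates on the (time, type, database) axes; time is bucketed so
    that repeated behaviour lands on the same point."""
    return (time_bucket(hour), query_type, database)


def label(application, point):
    """Mark a coordinate point normal, abnormal or unknown from the policy."""
    policy = POLICY.get(application)
    if policy is None:
        return "unknown"
    bucket, _, database = point
    if database not in policy["databases"]:
        return "abnormal"
    if bucket == "off_hours" and not policy["off_hours"]:
        return "abnormal"
    return "normal"


def build_channel(application, sublog):
    """One access behavior recognition channel: labelled points plus the
    per-type and per-database counts the page describes."""
    points = [to_point(*record) for record in sublog]
    return {
        "application": application,
        "by_type": Counter(p[1] for p in points),
        "by_database": Counter(p[2] for p in points),
        "points": [(p, label(application, p)) for p in points],
    }


def merge_channels(channels, model=None):
    """Merge channels into the recognition model; passing an existing model
    extends it with new channels instead of rebuilding it."""
    model = {} if model is None else model
    for channel in channels:
        model[channel["application"]] = {
            "normal": {p for p, lab in channel["points"] if lab == "normal"},
            "by_type": channel["by_type"],
            "by_database": channel["by_database"],
        }
    return model


def build_model(sublogs):
    return merge_channels(build_channel(app, log) for app, log in sublogs.items())


def judge(model, application, hour, query_type, database):
    """Judgment for a new request: a point already seen as normal is normal;
    a point the policy forbids is abnormal; a policy-compliant point never
    seen before is unknown and should be reviewed rather than blocked."""
    profile = model.get(application)
    if profile is None:
        return "unknown"
    point = to_point(hour, query_type, database)
    if point in profile["normal"]:
        return "normal"
    verdict = label(application, point)
    return verdict if verdict == "abnormal" else "unknown"


if __name__ == "__main__":
    model = build_model(SUBLOGS)
    print(judge(model, "crm", 10, "select", "customers"))   # normal
    print(judge(model, "crm", 2, "select", "customers"))    # abnormal
    merge_channels([build_channel("report", [(1, "select", "warehouse")])], model)
    print(judge(model, "report", 1, "select", "warehouse"))  # normal
```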
In another preferred implementation manner provided in the embodiment of the present application, the method further includes:
Constructing a database metadata information set. The database metadata information set is a set of information about the data in a database, including schema information (tables, fields, indexes and the like), data types and data distribution. Specifically, the metadata is collected from the database by querying the database system or with a dedicated metadata collection tool; it is then cleaned and integrated (removing duplicates, unifying formats and resolving inconsistencies), and the cleaned metadata is assembled into a consolidated metadata information set, including a data dictionary, data catalogue and the like.
Parsing the application query statement to obtain query statement elements, and matching those elements against the database metadata information set to obtain a metadata access judgment result. Query statement elements are the components of the query statement, such as table names, field names and query conditions. Specifically, the application query statement is parsed with an SQL parser or query optimizer to obtain a syntax tree or query plan, from which the elements are extracted. For example, if the received statement is "SELECT * FROM users WHERE age > 20", parsing it yields a syntax tree or query plan from which the table name "users" and the query condition "age > 20" are extracted. The metadata information set is then searched for entries matching these elements, and the metadata access judgment is made from the matching results: if the table names and field names in the statement exist in the metadata information set and satisfy the security policy or access control requirements, the query behavior is considered legitimate and execution may be allowed; otherwise a warning may be issued or execution of the query denied.
Performing asset discovery management based on the access behavior judgment result and the metadata access judgment result. Specifically, the assets are first defined, including the tables, fields and data types in the database, and classified by criteria such as importance, sensitivity and access frequency. The assets are then marked using the access behavior judgment results and the metadata access judgment results: for example, tables or fields holding sensitive data can be marked from the query statement elements and the matching results, or data can be marked by access frequency and query count. On the basis of this definition, classification and marking, security policies are formulated, for instance restricting access rights or requiring encrypted transmission for assets that hold sensitive data. The assets are then monitored and audited to verify that the policies are effective, for example by monitoring database access logs and abnormal operations and auditing queries that touch sensitive data. In this way the interaction between the application programs and the database is fully understood, query statements are detected efficiently, and the security and integrity of the database are protected.
In another preferred implementation manner provided in the embodiment of the present application, the method further includes:
Building a honeypot database based on the middleware access log and the database equipment. The honeypot database is a decoy database containing fabricated decoy data that appears to have high attack value and known vulnerabilities, so that an attacker is induced to attack the decoy data; when the attacker tries to access or attack the decoy data, the system records and audits the attacker's traffic, behavior and data in real time, so that the attack behavior can be captured and analyzed. Specifically, the middleware access log is associated with the database equipment, and that information is used to create a honeypot database that entices an attacker to attack it.
Activating the honeypot database, monitoring whether the application query statement accesses it, and obtaining a honeypot access judgment result. Specifically, after the honeypot database is built, it is started by running the corresponding program or service, and certain characteristics or parameters of the database are set or adjusted so that its honeypot features are activated and the database attracts and monitors attack behavior. Monitoring of whether the application query statement accesses the honeypot database is then started; if the application query statement attempts to access the honeypot database, the result of that access behavior, namely the honeypot access judgment result, is obtained, and possible attack behavior can be discovered from it.
Performing asset discovery management based on the access behavior judgment result, the metadata access judgment result and the honeypot access judgment result. Specifically, the three judgment results are integrated, then compared, correlated and analyzed to find common points or inconsistencies. Based on the integrated judgment result, possible threats or vulnerabilities are analyzed, including identifying abnormal access behavior patterns, query statements that do not conform to the normal metadata access specification, or attack attempts aimed at the honeypot database. Based on the analysis results, corresponding management measures are formulated to protect the assets, such as immediately quarantining the attacked database or application program to prevent a potential attack, or repairing the discovered vulnerability. Finally, the potential security risk is reduced through remediation work such as updating the security policy, hardening the system and installing patches. The method combines access behavior analysis, metadata analysis and honeypot technology, achieving the technical effect of improving the security and performance of the database.
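The honeypot monitoring and the integration of the three judgment results, as an added example that is not part of the patent and not the applicant's code. The decoy table names are constructed; the monitor takes the set of tables a statement references (the output of the metadata step) rather than re-parsing SQL, and the quarantine / alert / audit / allow ladder in `integrate_judgments` is an illustrative policy, not one the page prescribes.

```python
from datetime import datetime

# Constructed decoy objects of the honeypot database (assumption: illustrative
# names; a real deployment derives them from the middleware access log so they
# resemble, but never collide with, genuine assets seen there).
HONEYPOT_TABLES = {"customer_backup_2019", "admin_credentials", "card_numbers_export"}


class HoneypotMonitor:
    """Tracks whether the honeypot database is active and records every
    query that touches a decoy object as an audit event."""

    def __init__(self, decoy_tables=HONEYPOT_TABLES):
        self.decoy_tables = {t.lower() for t in decoy_tables}
        self.active = False
        self.audit_trail = []

    def activate(self):
        self.active = True

    def observe(self, source_ip, user, statement, referenced_tables):
        """Honeypot access judgment for one application query statement.
        referenced_tables comes from query-statement parsing; only the table
        names are needed here."""
        if not self.active:
            return {"verdict": "none", "decoy_tables": [], "active": False}
        hit = sorted({t.lower() for t in referenced_tables} & self.decoy_tables)
        if hit:
            self.audit_trail.append({
                "observed_at": datetime.now().isoformat(timespec="seconds"),
                "source_ip": source_ip, "user": user,
                "statement": statement, "decoy_tables": hit,
            })
        return {"verdict": "hit" if hit else "none", "decoy_tables": hit, "active": True}


def integrate_judgments(access_result, metadata_result, honeypot_result):
    """Combine the three judgments into one management decision.
    access_result: 'normal' | 'abnormal'
    metadata_result: 'allow' | 'warn' | 'deny'
    honeypot_result: 'none' | 'hit'
    """
    findings = []
    if honeypot_result == "hit":
        findings.append("attack attempt against the honeypot database")
    if metadata_result == "deny":
        findings.append("query does not conform to the metadata access specification")
    elif metadata_result == "warn":
        findings.append("query touches a sensitive asset")
    if access_result == "abnormal":
        findings.append("abnormal access behaviour pattern")

    if honeypot_result == "hit" or (access_result == "abnormal" and metadata_result == "deny"):
        action = "quarantine"   # isolate the application / database connection at once
    elif access_result == "abnormal" or metadata_result == "deny":
        action = "alert"        # hand over to secondary analysis
    elif metadata_result == "warn":
        action = "audit"        # allow, but record for review of sensitive-data queries
    else:
        action = "allow"

    # Behaviour that looks normal while the metadata or honeypot check fails is
    # the inconsistency the description says should be surfaced.
    inconsistent = access_result == "normal" and (metadata_result == "deny" or honeypot_result == "hit")
    return {"action": action, "findings": findings, "inconsistent": inconsistent}
```

Any touch of a decoy object is escalated regardless of the other two results, since a legitimate application has no reason to reference a table that does not exist in the real schema; that is what makes the honeypot signal high-confidence compared with the behavioural one.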
In another preferred implementation manner provided in the embodiment of the present application, the method further includes:
When the access behavior judgment result is an abnormal access behavior, generating alarm information, wherein the alarm information comprises the query statement, query time, query user, query source, query database and abnormal behavior type. Specifically, when the access behavior judgment result shows that there is an abnormal access behavior, alarm information is generated that describes the details of the query statement that caused the abnormal access: the query statement itself, when the query was executed, who executed it, from which source it was issued, against which database it was executed, and the type of abnormal behavior it exhibited.
Pushing the alarm information to a security operations analysis platform, performing secondary judgment and analysis on the alarm information, and confirming whether the alarm information actually represents abnormal access. The security operations analysis platform is a situation analysis and security operations platform that aggregates, correlates and analyzes security information from multiple sources (assets, risks, threats, events and the like), presents the security situation, raises and handles alarms, and provides one-stop security services for risk investigation beforehand, security monitoring during an event and tracking and tracing afterwards. Specifically, after the alarm information is generated, it is pushed to the security operations analysis platform for secondary judgment and analysis; for example, the alarm information is correlated with information from other security data sources so that whether the alarm actually represents abnormal access can be judged more accurately.
When the alarm information is confirmed as real abnormal access, linking the boundary firewall and blocking the request IP of the application query statement. Specifically, if the secondary judgment and analysis of the security operations analysis platform confirms that the alarm information is truly abnormal access, the system links the boundary firewall to block the request IP of the application query statement (the block may be temporary, pending further investigation, or permanent, depending on the specific situation and the enterprise's security policy), so that the abnormal access behavior is stopped immediately and the security of the system is protected. By pushing the alarm information to the security operations analysis platform, the method performs more comprehensive monitoring and alarm handling, thereby achieving more comprehensive and efficient asset discovery and management.
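The alarm, secondary-judgment and firewall-linkage steps above, as an added example that is not part of the patent and not the applicant's code. The "other security data sources" used for correlation (a threat-intelligence IP list and per-user maintenance windows) are constructed, the IP addresses come from the RFC 5737 documentation ranges, and the block rule is a plain dictionary standing in for whatever API the boundary firewall actually exposes.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta


@dataclass
class Alarm:
    """Alarm information as listed in the method: statement, time, user,
    source, database and abnormal behaviour type."""
    query_statement: str
    query_time: str
    query_user: str
    query_source: str      # request IP of the application query statement
    query_database: str
    abnormal_type: str


def generate_alarm(detection, record):
    """Turn an abnormal access behaviour judgment into alarm information.
    detection is ('normal' | 'abnormal', reason); record carries the query context."""
    verdict, reason = detection
    if verdict != "abnormal":
        return None
    return Alarm(query_statement=record["statement"], query_time=record["time"],
                 query_user=record["user"], query_source=record["source_ip"],
                 query_database=record["database"], abnormal_type=reason)


# Constructed "other security data sources" for the correlation step
# (assumption: a threat-intelligence IP list and declared maintenance windows).
THREAT_INTEL_IPS = {"203.0.113.45"}
MAINTENANCE_WINDOWS = {"dba_tool": (1, 5)}   # user -> (start hour, end hour)


def secondary_judgment(alarm, recent_alarms, intel_ips=THREAT_INTEL_IPS,
                       maintenance=MAINTENANCE_WINDOWS, repeat_threshold=3):
    """Correlate the alarm with other sources, as the security operations
    analysis platform would. Returns (confirmed, evidence)."""
    evidence = []
    if alarm.query_source in intel_ips:
        evidence.append("request IP is on the threat-intelligence list")
    repeats = [a for a in recent_alarms if a.query_source == alarm.query_source]
    if len(repeats) >= repeat_threshold:
        evidence.append(f"{len(repeats)} earlier alarms from the same request IP")
    if evidence:
        return True, evidence
    # No corroboration: an off-hours alarm inside a declared maintenance window
    # is explained away as a false positive rather than confirmed.
    hour = datetime.fromisoformat(alarm.query_time).hour
    window = maintenance.get(alarm.query_user)
    if window and window[0] <= hour < window[1] and alarm.abnormal_type == "off-hours access":
        return False, ["query time falls inside the user's declared maintenance window"]
    return False, []


def firewall_block_rule(alarm, confirmed, permanent=False, ttl_hours=24):
    """Produce the boundary-firewall rule that blocks the request IP of a
    confirmed abnormal access; temporary rules carry an expiry for review."""
    if not confirmed:
        return None
    created = datetime.fromisoformat(alarm.query_time)
    return {
        "action": "deny",
        "src_ip": alarm.query_source,
        "reason": alarm.abnormal_type,
        "created": created.isoformat(),
        "expires": None if permanent else (created + timedelta(hours=ttl_hours)).isoformat(),
    }


def handle(detection, record, recent_alarms):
    """End to end: detection result -> alarm -> secondary judgment -> firewall rule."""
    alarm = generate_alarm(detection, record)
    if alarm is None:
        return {"alarm": None, "confirmed": False, "evidence": [], "rule": None}
    confirmed, evidence = secondary_judgment(alarm, recent_alarms)
    return {"alarm": asdict(alarm), "confirmed": confirmed, "evidence": evidence,
            "rule": firewall_block_rule(alarm, confirmed)}
```

Blocking only after the secondary judgment, and with an expiry by default, keeps a single false positive from the behavioural model from cutting off a legitimate application; the rule's `reason` and `created` fields preserve the link back to the alarm for the after-the-event tracing the platform is meant to support.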
Example two
Based on the same inventive concept as the asset management method based on the middleware access log in the foregoing embodiments, as shown in fig. 2, the present application provides an asset management system based on the middleware access log, and the system and method embodiments in the embodiments of the present application are based on the same inventive concept. Wherein the system comprises:
the middleware log collecting module 1 is used for deploying a middleware log collecting module, connecting middleware based on the middleware log collecting module and collecting middleware access logs, wherein the middleware access logs comprise query information sent to database equipment by a plurality of application programs;
the middleware access sub-log obtaining module 2 is used for classifying the middleware access logs according to a plurality of application programs and obtaining a plurality of middleware access sub-logs corresponding to the plurality of application programs;
the access behavior recognition model building module 3 is used for performing access behavior analysis on the plurality of application programs based on the plurality of middleware access sub-logs respectively, and building an access behavior recognition model;
the access behavior judgment result acquisition module 4 is used for receiving an application query statement, detecting the application query statement based on the access behavior recognition model, and acquiring an access behavior judgment result;
and the asset discovery management module 5 is used for performing asset discovery management based on the access behavior judgment result.
Further, the middleware log collection module 1 is configured to perform the following method:
the query information comprises a query statement, a query time, a query type and a query database.
Further, the access behavior recognition model building module 3 is configured to perform the following method:
constructing a behavior analysis coordinate system, wherein coordinate axes of the behavior analysis coordinate system comprise the query type, the query time and the query database;
traversing a plurality of middleware access sub-logs to obtain a first middleware access sub-log, and constructing a first access behavior recognition channel by using the first middleware access sub-log to obtain a plurality of access behavior recognition channels;
and merging the access behavior recognition channels to obtain an access behavior recognition model.
Further, the access behavior recognition model building module 3 is configured to perform the following method:
traversing a plurality of application programs to obtain a first application program;
acquiring the first middleware access sub-log from the plurality of middleware access sub-logs based on the first application program;
extracting query information in the first middleware access sub-log as first query information, wherein the first query information comprises a first query statement, a first query time, a first query type and a first query database;
mapping the first query time, the first query type and the first query database into a behavior analysis coordinate system to obtain a first behavior analysis coordinate system;
marking normal access behaviors and abnormal access behaviors on the first behavior analysis coordinate system to obtain a first behavior marking coordinate system;
and obtaining a first access behavior recognition channel from the first query statement and the first behavior marking coordinate system.
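The behavior analysis coordinate system, the per-application recognition channels and their merging into a model, as an added example that is not part of the patent and not the applicant's code. The pipe-separated sub-log lines are constructed, the time axis is reduced to hour of day, and "normal" is marked as the hour band observed per (query type, query database) plane with everything else marked abnormal; a real model would be trained on far more than five lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed middleware access log lines (assumption: a pipe-separated
# "application|query time|query type|query database|query statement" format;
# real middleware logs differ). Literal values are already replaced by '?'.
SAMPLE_LOG = """\
billing|2024-01-08T09:15:02|SELECT|orders_db|SELECT amount FROM orders WHERE id = ?
billing|2024-01-08T10:40:11|SELECT|orders_db|SELECT amount FROM orders WHERE id = ?
billing|2024-01-08T11:05:45|UPDATE|orders_db|UPDATE orders SET status = ? WHERE id = ?
portal|2024-01-08T14:20:30|SELECT|user_db|SELECT name, age FROM users WHERE id = ?
portal|2024-01-08T15:02:07|SELECT|user_db|SELECT name, age FROM users WHERE id = ?
"""


def split_by_application(log_text):
    """Classify the middleware access log into one sub-log per application."""
    sub_logs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        app, ts, qtype, db, stmt = line.split("|", 4)
        sub_logs[app].append({"time": datetime.fromisoformat(ts), "type": qtype.upper(),
                              "database": db, "statement": stmt})
    return sub_logs


def to_coordinates(entry):
    """Map a log entry onto the behaviour analysis coordinate system whose
    axes are query type, query time (hour of day) and query database."""
    return entry["type"], entry["time"].hour, entry["database"]


def build_channel(app, sub_log):
    """Build one access behaviour recognition channel: on each (type, database)
    plane the hour band seen in the sub-log is marked normal, every other hour
    is abnormal, and the statement templates seen are remembered."""
    hours = defaultdict(set)
    statements = set()
    for entry in sub_log:
        qtype, hour, db = to_coordinates(entry)
        hours[(qtype, db)].add(hour)
        statements.add(entry["statement"])
    normal_region = {plane: range(min(h), max(h) + 1) for plane, h in hours.items()}
    return {"application": app, "normal_region": normal_region, "statements": statements}


def build_model(log_text):
    """Merge the per-application channels into the access behaviour recognition model."""
    return {app: build_channel(app, sub_log)
            for app, sub_log in split_by_application(log_text).items()}


def detect(model, app, time_iso, qtype, database, statement):
    """Check an application query statement against the model.
    Returns ('normal', '') or ('abnormal', reason)."""
    channel = model.get(app)
    if channel is None:
        return "abnormal", "no recognition channel for application " + app
    hour = datetime.fromisoformat(time_iso).hour
    band = channel["normal_region"].get((qtype.upper(), database))
    if band is None:
        return "abnormal", f"no normal behaviour marked for {qtype.upper()} on {database}"
    if hour not in band:
        return "abnormal", f"hour {hour} lies outside the normal band {band.start}-{band.stop - 1}"
    if statement not in channel["statements"]:
        return "abnormal", "query statement template not seen in the sub-log"
    return "normal", ""


MODEL = build_model(SAMPLE_LOG)
```

Because each channel is keyed by application, the same statement can be normal for one application and abnormal for another; that per-application baseline is what the sub-log classification buys over a single global model.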
Further, the asset discovery management module 5 is configured to perform the following method:
constructing a database metadata information set;
analyzing the application query statement to obtain query statement elements, and matching the query statement elements in the database metadata information set to obtain metadata access judgment results;
and performing asset discovery management based on the access behavior judgment result and the metadata access judgment result.
Further, the asset discovery management module 5 is configured to perform the following method:
building a honeypot database based on the middleware access log and the database equipment;
activating the honeypot database, monitoring whether the application query statement accesses it, and obtaining a honeypot access judgment result;
and performing asset discovery management based on the access behavior judgment result, the metadata access judgment result and the honeypot access judgment result.
Further, the asset discovery management module 5 is configured to perform the following method:
when the access behavior judgment result is an abnormal access behavior, generating alarm information, wherein the alarm information comprises the query statement, query time, query user, query source, query database and abnormal behavior type;
pushing the alarm information to a security operations analysis platform, performing secondary judgment and analysis on the alarm information, and confirming whether the alarm information actually represents abnormal access;
and when the alarm information is confirmed as real abnormal access, linking a boundary firewall and blocking the request IP of the application query statement.
It should be noted that the sequence of the embodiments of the present application is merely for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing description of the preferred embodiments of the present application is not intended to limit the invention to those particular embodiments, nor to limit the scope of the invention to them.
The specification and drawings are merely exemplary of the application and are to be regarded as covering any and all modifications, variations, combinations, or equivalents that are within the scope of the application. It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the present application and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (8)

1. An asset management method based on a middleware access log, the method comprising:
the method comprises the steps of deploying a middleware log collecting module, connecting middleware based on the middleware log collecting module, and collecting a middleware access log, wherein the middleware access log comprises query information sent to database equipment by a plurality of application programs;
classifying the middleware access logs according to a plurality of application programs to obtain a plurality of middleware access sub-logs corresponding to the plurality of application programs;
performing access behavior analysis for the plurality of application programs based on the plurality of middleware access sub-logs respectively, and constructing an access behavior recognition model;
receiving an application query statement, detecting the application query statement based on the access behavior recognition model, and obtaining an access behavior judgment result;
and performing asset discovery management based on the access behavior judgment result.
2. The method of claim 1, wherein the query information comprises a query statement, a query time, a query type, a query database.
3. The method of claim 2, wherein performing access behavior analysis for the plurality of applications based on the plurality of middleware access sub-logs, respectively, and constructing an access behavior recognition model comprises:
constructing a behavior analysis coordinate system, wherein coordinate axes of the behavior analysis coordinate system comprise the query type, the query time and the query database;
traversing a plurality of middleware access sub-logs to obtain a first middleware access sub-log, and constructing a first access behavior recognition channel by using the first middleware access sub-log to obtain a plurality of access behavior recognition channels;
and merging the access behavior recognition channels to obtain an access behavior recognition model.
4. The method of claim 3, wherein traversing the plurality of middleware access sub-logs, obtaining a first middleware access sub-log, building a first access behavior identification channel with the first middleware access sub-log, comprises:
traversing a plurality of application programs to obtain a first application program;
acquiring the first middleware access sub-log from the plurality of middleware access sub-logs based on the first application program;
extracting query information in the first middleware access sub-log as first query information, wherein the first query information comprises a first query statement, a first query time, a first query type and a first query database;
mapping the first query time, the first query type and the first query database into a behavior analysis coordinate system to obtain a first behavior analysis coordinate system;
marking normal access behaviors and abnormal access behaviors on the first behavior analysis coordinate system to obtain a first behavior marking coordinate system;
and obtaining a first access behavior recognition channel from the first query statement and the first behavior marking coordinate system.
5. The method according to claim 1, wherein the method further comprises:
constructing a database metadata information set;
analyzing the application query statement to obtain query statement elements, and matching the query statement elements in the database metadata information set to obtain metadata access judgment results;
and performing asset discovery management based on the access behavior judgment result and the metadata access judgment result.
6. The method of claim 5, wherein the method further comprises:
building a honeypot database based on the middleware access log and the database equipment;
activating the honeypot database, monitoring whether the application query statement accesses it, and obtaining a honeypot access judgment result;
and performing asset discovery management based on the access behavior judgment result, the metadata access judgment result and the honeypot access judgment result.
7. The method according to claim 1, wherein the method further comprises:
when the access behavior judgment result is an abnormal access behavior, generating alarm information, wherein the alarm information comprises the query statement, query time, query user, query source, query database and abnormal behavior type;
pushing the alarm information to a security operations analysis platform, performing secondary judgment and analysis on the alarm information, and confirming whether the alarm information actually represents abnormal access;
and when the alarm information is confirmed as real abnormal access, linking a boundary firewall and blocking the request IP of the application query statement.
8. An asset management system based on a middleware access log, the system comprising:
the middleware log collection module is used for deploying the middleware log collection module, connecting middleware based on the middleware log collection module, and collecting middleware access logs, wherein the middleware access logs comprise query information sent to database equipment by a plurality of application programs;
the middleware access sub-log acquisition module is used for classifying the middleware access logs according to a plurality of application programs and acquiring a plurality of middleware access sub-logs corresponding to the plurality of application programs;
the access behavior recognition model building module is used for carrying out access behavior analysis on the plurality of application programs based on the plurality of middleware access sub-logs respectively and building an access behavior recognition model;
the access behavior judgment result acquisition module is used for receiving application query sentences, detecting the application query sentences based on the access behavior recognition model and acquiring access behavior judgment results;
and the asset discovery management module is used for carrying out asset discovery management based on the access behavior judgment result.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311726564.9A CN117725575A (en) 2023-12-15 2023-12-15 Asset management method based on middleware access log

Publications (1)

Publication Number Publication Date
CN117725575A true CN117725575A (en) 2024-03-19

Family

ID=90204681

Country Status (1)

Country Link
CN (1) CN117725575A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination